The present invention relates generally to a system and method for the monitoring of email and other message traffic on a network. The intent of the monitoring is to determine if message traffic is abnormal, thus indicating unwanted messages such as spam. A number of methods may be utilized by the invention to recognize unwanted messages, including the calculation of fanout, the number of messages sent by a unique host, unique email address or domain. Also included is fanin, the number of messages received from unique hosts, unique domains or unique email addresses. Further components consider the number of error messages received from a host, variations in bandwidth from a host, and variations in message content from a host.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting a source or destination of abnormal message traffic on a network, said method comprising: tracking messages between a plurality of sources and a plurality of destinations, wherein tracking messages comprises: determining the source and destination of a message; generating a source and destination pair counter for each source and destination pair; incrementing the source and destination pair counter based on at least some of the messages and an amount of messages between said source and said destination; determining a bandwidth variation of a rate of messages to a destination, wherein determining the bandwidth variation comprises: generating a bandwidth counter for each destination; updating the bandwidth counter based on the rate of messages to a destination; and determining if a predetermined amount of time has passed; and comparing values in the source and destination pair counter to a predetermined source and destination pair threshold and comparing values in the bandwidth counter to a predetermined steady rate of messages after the predetermined amount of time has passed to determine if there is abnormal message traffic related to a source or destination based on both comparisons.
2. The method of claim 1 wherein said traffic is email.
3. The method of claim 1 wherein said traffic comprises HyperText Transfer Protocol messages.
4. The method of claim 1, wherein the at least some of the messages between said source and said destination comprise messages having similar content based on message content detection.
5. The method of claim 1, further comprising: generating a report if the source and destination pair counter or the bandwidth counter surpass the predetermined thresholds; and initializing either the source and destination pair counter or the bandwidth counter after the report has been generated.
6. The method of claim 5 further comprising: tracking error messages between the plurality of sources and the plurality of destinations, wherein tracking error messages comprises: determining if an error message is a reject message; generating an error message counter for each source or destinations generating the reject message; and incrementing the error message counter based on the timing of the error messages.
7. A non-transitory computer readable medium, said medium comprising instructions, which when executed on a processor, cause the processor to perform the method of claim 1.
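The counting scheme of claim 1 can be sketched as follows. This is an added example, not code from the patent or its assignee. The class name, threshold values and sample traffic are assumptions, as are two readings of the claim: that a pair is flagged only when both thresholds are exceeded, and that all counters are reset at the end of every window.

```python
from collections import defaultdict

class TrafficMonitor:  # hypothetical name, not taken from the patent
    def __init__(self, pair_threshold, steady_rate, window_seconds):
        self.pair_threshold = pair_threshold  # messages per (source, destination) per window
        self.steady_rate = steady_rate        # expected messages/second to one destination
        self.window = window_seconds          # the "predetermined amount of time"
        self.window_start = None
        self.pair_counts = defaultdict(int)   # source/destination pair counters
        self.dest_counts = defaultdict(int)   # per-destination bandwidth counters

    def observe(self, ts, source, destination):
        """Count one message; return reports if the window just elapsed."""
        if self.window_start is None:
            self.window_start = ts
        reports = []
        if ts - self.window_start >= self.window:
            reports = self._evaluate()
            self.window_start = ts
        self.pair_counts[(source, destination)] += 1
        self.dest_counts[destination] += 1
        return reports

    def _evaluate(self):
        """Flag a pair only when both thresholds are exceeded, then reset."""
        reports = []
        for (src, dst), count in self.pair_counts.items():
            rate = self.dest_counts[dst] / self.window
            if count > self.pair_threshold and rate > self.steady_rate:
                reports.append({"source": src, "destination": dst,
                                "pair_count": count, "dest_rate": rate})
        self.pair_counts.clear()
        self.dest_counts.clear()
        return reports

def run_sample():
    """Constructed traffic: one 60 s window, then a message that closes it."""
    events = [(t, "192.0.2.10", "mx.example.net") for t in range(40)]           # bulk sender
    events += [(t * 10, "192.0.2.20", "mx.example.net") for t in range(3)]      # normal sender
    events += [(t * 2, "198.51.100.7", "mail.example.org") for t in range(25)]  # busy pair, quiet destination
    events.append((60, "192.0.2.20", "mx.example.net"))
    monitor = TrafficMonitor(pair_threshold=20, steady_rate=0.5, window_seconds=60)
    reports = []
    for ts, src, dst in sorted(events):
        reports.extend(monitor.observe(ts, src, dst))
    return reports

if __name__ == "__main__":
    for report in run_sample():
        print(report)
```

The third sender exceeds the pair threshold but its destination stays below the steady rate, so it is not reported; only the bulk sender trips both comparisons.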
May 26, 2004
June 16, 2020